New open-source app extracts passwords stored in Mac OS X keychain

A software developer has released an open-source app for the Mac that, when run with administrator privileges, dumps all the passwords belonging to other people currently logged on to the machine.

Within hours of the release of Keychaindump by Helsinki-based Juuso Salonen, other Mac experts were downplaying its significance. "News flash, root can also format your hard drive, news at 11," OS X serial hacker Charlie Miller wrote on Twitter, referring to the "root" account that by definition has unfettered privileges in operating systems. "Root is totally a dick, he stole my prom date in high school!" another exploit developer known as thegrugq responded.

Their point is that the Keychaindump's ability to root out passwords isn't a vulnerability or even an oversight by Apple engineers. It's a necessary design with parallels that can be found in any advanced operating system, including Microsoft Windows and various distributions of Linux. Labeling it as a "bug" or a "vulnerability" is like claiming a meat slicer is flawed because it can saw through the finger of the person using it.

That said, Salonen's software and an accompanying blog post appear to be the first time anyone has documented the inner workings of the widely used Mac Keychain and released attack code built on those findings. Salonen says his app is "far from perfect," but he also says it "seems to work well" at scouring the internal memory of Macs for the passcodes all currently logged-in account owners enter to access passwords stored on their personal keychains. And that includes the passcode for the root user.

"If I'm writing a virus, I will use this code," said Rob Graham, who as CEO of penetration testing firm Errata Security regularly writes software exploits to test the security of his clients. "We've always known it's possible. It's just a matter of someone actually writing code for that part of the keychain."

One application for such code would be for malware writers who want to collect as much information as possible on the people using a targeted Mac. By dumping the entire contents of a user's keychain, the passwords for virtually every WiFi network, e-mail account, and website account are quickly in the hands of the attacker. With the rise of the Flashback malware that infected an estimated 650,000 Macs or new strains of Mac-based espionage trojans targeting Chinese dissidents, it's not hard to imagine code like Salonen's being employed to give them powerful new capabilities.

What's more, the password extraction method is significantly faster than attempting to brute-force crack a strong account password. That's because OS X stores account passwords using the PBK2F2 key derivation function, which, as Ars recently explained, was designed to thwart cracking attacks by requiring large amounts of time and computing resources to convert plaintext into cryptographic hashes.

"Encrypted many times over," in "Russian-doll fashion"

According to Salonen, keychain files are "encrypted many times over" in a fashion similar to the way one Russian doll fits inside the next. The OS X system uses a variety of keys, including one derived from the account password belonging to the user who owns the password keychain. Once a user has unlocked that list, the password is converted into a 24-byte master key and stored in a part of computer memory reserved for a security process known as "securityd." With a little more research, the developer found a common structure in this memory region that points to the master key. It contains an 8-byte size field with the value of "0x18 (24 in hex)."

Keychaindump uses what's known as pattern recognition to search for the pointer and then test the following value to see if it's a master key. A Master key will reveal an intermediate key called a "wrapping key." Using a hard-coded "obfuscation key," the wrapping key in turn reveals an encrypted "credential key," which, at last, reveals the user's plaintext password. Salonen credited fellow developer Matt Johnston for the research into the decryption steps.

Running the code produced the following output, where actual passwords and usernames were replaced with x's:

As we made clear earlier in this post, there's no vulnerability here. Aside from following longstanding security advice to use lower-privileged accounts whenever possible and log out of those accounts when they're not in use, there's not much anyone can do to prevent these types of attacks. Update: Salonen points out in his blog post users can take additional steps to lock and unlock their keychain; Apple has more here.

None of this, however, means Salonen's app, which runs on OS X Lion and Mountain Lion, isn't of value, either to black-hat hackers or the white-hats who work to stop them.

Cool...I knew there was a reason why I never used Keychain on my Macs.

I use 1password...so I'm waiting for the day when that will be cracked then my myriad of 16+ character jibberish passwords I have strewn across the internet will be rendered useless. Then I'm fucked.

Don't use the same password on different sites. checkDon't use common words or phrases that a dictionary database can brute-force easily. checkUse a password manager to keep track of all those different passwords. Um...sure...unless...um...that gets hacked somehow....um...

There's nothing in Goofball_Jones's post to indicate it was meant to be humorous. The very first sentence shows a fundamental misunderstanding (because this isn't a reason not to use Keychain and no other manager would help) and then it goes on from there. "Lolol cabin in Montana", that's the height of wit on a tech site? Talking about root kits always has potential for some fun technical discussions, disappointing that's missing from both comments and article. Now that I think about it perhaps it would be possible to segment some memory to be off limits for reading even by root without hardware, and protect the kernel as well, but that's over my head beyond speculation.

Reader: "WHERE DO YOU GET OFF CALLING IT DARK IN HERE??!! HYPERBOLE MUCH? CLEARLY THERE IS NOT A COMPLETE ABSENCE OF PHOTONS SINCE I CAN STILL SEE SO AT THE MOST YOU SHOULD CALL IT DIM...THOUGH EVEN THAT IS RELATIVE. WAY TO RESORT TO SENSATIONALISM! I SWEAR...THE QUALITY OF REPORTING ON ARS HAS GONE WAY DOWNHILL EVER SINCE THEY SOLD OUT TO CONDE. THAT'S IT #%$#@ YOU AND YOUR @$#^* SITE. I AM NEVER READING THIS TRIPE AGAIN, @%#@*! THIS WILL BE MY LAST COMMENT EVER!!

Author: ...

Reader: Oh, also, you said 'in' twice. THIS WILL BE MY LAST COMMENT EVER!

Edit: I have accused Ars of sensationalism and poor reporting myself (and stand by my statements) so this is somewhat self-deprecating.

135 Reader Comments

Cool...I knew there was a reason why I never used Keychain on my Macs.

I use 1password...so I'm waiting for the day when that will be cracked then my myriad of 16+ character jibberish passwords I have strewn across the internet will be rendered useless. Then I'm fucked.

Don't use the same password on different sites. checkDon't use common words or phrases that a dictionary database can brute-force easily. checkUse a password manager to keep track of all those different passwords. Um...sure...unless...um...that gets hacked somehow....um...

On the one hand, it is true that if you have root, you can access anything on that machine. On the other hand, it certainly is at least theoretically possible to have per-user encryption that even the root user could not bypass. I would not call this a vulnerability, but perhaps poor user privacy protections.

Aside from following longstanding security advice to use lower-privileged accounts whenever possible and log out of those accounts when they're not in use, there's not much anyone can do to prevent these types of attacks.

In principle at least a few kinds of security would be mildly resistant to this. Anything using PKI and supporting use of a proper PKI token/smartcard could at least keep the private key protected (for already existing stuff or if they air gapped), so signing messages/applications and so forth would get compromised. Even that is pretty minimal in value though, both because not many services make use of that scheme and because if someone has root access then they'll still be able to read all the data. For existing computers gaining root mostly means it's all over, on the Mac about the best you can do is change kern.securelevel back up to 1 and then make use of of the system immutable flag on key system files and perhaps tripwire software. That's certainly a bit of a pain though, and requires dropping out of muliuser mode anytime any updates need to be applied.

So, does this use root privileges even though most Macs don't have root enabled? Apple is wise to make it hard to enable root in the first place.

Keychain has always been a bit of a pain point. Especially when working in an Active Directory environment. Having to change the Keychain master password to match your AD password is probably not a safe practice, but makes using a Mac on a Windows domain tolerable.

Cool...I knew there was a reason why I never used Keychain on my Macs.

I use 1password...so I'm waiting for the day when that will be cracked then my myriad of 16+ character jibberish passwords I have strewn across the internet will be rendered useless. Then I'm fucked.

Don't use the same password on different sites. checkDon't use common words or phrases that a dictionary database can brute-force easily. checkUse a password manager to keep track of all those different passwords. Um...sure...unless...um...that gets hacked somehow....um...

Throw away all technology devices and go live in a cabin in Montana.

I understand there's one available in Lincoln, Montana. It's pretty remote and became available on market around 1996. Could be a good deal.

On the one hand, it is true that if you have root, you can access anything on that machine. On the other hand, it certainly is at least theoretically possible to have per-user encryption that even the root user could not bypass. I would not call this a vulnerability, but perhaps poor user privacy protections.

There is per user encryption. The way I read it this can only grab passwords for users that are already logged in. So even if someone gets root on your system, unless you are logged in all your passwords are safe. If anything this shows how well Apple designed the system.

On the one hand, it is true that if you have root, you can access anything on that machine. On the other hand, it certainly is at least theoretically possible to have per-user encryption that even the root user could not bypass. I would not call this a vulnerability, but perhaps poor user privacy protections.

OK, so just for those with slightly less than average intelligence (like me), is the point here that if you're able to successfully log on to an OS X machine as an administrator, you can do a lot of harm or look at the files on that machine?

Cool...I knew there was a reason why I never used Keychain on my Macs.

I use 1password...

Which does nothing. If an attacker has root 1P isn't going to help you one bit.

pusher robot wrote:

On the one hand, it is true that if you have root, you can access anything on that machine. On the other hand, it certainly is at least theoretically possible to have per-user encryption that even the root user could not bypass.

Wrong (or at least, not without an even lower level of hardware protection outside of the operating system's control). "Anything" includes active memory, modifying the kernel or any libraries, frameworks or utilities, full access to all input from all peripherals, etc. What you're suggesting is the same principle as DRM and why it fails: at some point, if you can see the data then they key has got to be somewhere unprotected. The system does not run on magic. If you're the owner, then while it may get obfuscated they key is there for the finding and taking. Or any one of a large number of alternate indirect attacks can get applied.

Short of hardware protection or maybe level 0, the final protection is backups, preferably signed and on WORM media of some sort (or on another different system that is massively locked down). If a system gets rooted it's almost never even worth the bother (unless you're a researcher or curious) to try to determine exactly what was done, it's time to just nuke, pave, and restore.

If Keychain was designed properly, each user account and each individual application would have its own encryption key, or at the very minimum its own salt to generate a unique encryption key, so that no other users/apps could decrypt that information.

OK, so just for those with slightly less than average intelligence (like me), is the point here that if you're able to successfully log on to an OS X machine as an administrator, you can do a lot of harm or look at the files on that machine?

Let me know if I am off base.

The problem is that passwords in OS X aren't properly protected. Anyone with administrator access (or physical access to the machine via Remote Disk) can get every password stored in Keychain. This is a pretty huge issue.

If Keychain was designed properly, each user account and each individual application would have its own encryption key, or at the very minimum its own salt to generate a unique encryption key, so that no other users/apps could decrypt that information.

Apple fail.

I 100% agree that there are things Apple can do to harden the design of Keychain.

They could for example randomize the structure, so a brute force approach like this, could not be used. The problem of course is that OS X still would need to locate it, I am sure something can be done, the source for this tool can and should be looked to harden the security of the Keychain itself.

I don't agree that this is an "Apple Fail" because it really isn't. This problem can be solved and should be solved, before the next major release of OS X because this tool makes using Keychain a security risk.

I thought Linux hashed passwords when they are stored, so all someone with root access can get ahold of is the hashes, not the plaintext passwords.

For authentication, this is true (and OS X does the same thing). What Keychain does, on the other hand, is store passwords that have to be decrypted later (for use on web sites, within applications, etc.) You can't hash a password that you later need to retrieve.

The issue at hand is that Apple hasn't properly protected that data. If they had done it right, the encryption key used would be unique to each user/app combination, so only the app that stored the password would have the data to decrypt it, and only for the user that stored it. But Apple didn't do that... they use a single master encryption key that is apparently easily obtainable.

I don't think it's accurate to say the article you link to calls the Windows behavior a vulnerability. Can you quote the sections you're referring to?

The very first paragraph:

Quote:

Our recent feature on the growing vulnerability of passwords chronicled the myriad ways crackers extract clues used to guess other people's login credentials. Add to that list a password reminder feature built in to recent versions of Microsoft's Windows operating system.

I thought Linux hashed passwords when they are stored, so all someone with root access can get ahold of is the hashes, not the plaintext passwords.

For authentication, this is true. What Keychain does, on the other hand, is store passwords that have to be decrypted later (for use on web sites, within applications, etc.) You can't hash a password that you later need to retrieve.

The issue at hand is that Apple hasn't properly protected that data. If they had done it right, the encryption key used would be unique to each user/app combination, so only the app that stored the password would have the data to decrypt it, and only for the user that stored it. But Apple didn't do that... they use a single master encryption key that is apparently easily obtainable.

They also placed it in a structure that can be recongized by a simple pattern recognition which allows for a trial and error approach.

Cool...I knew there was a reason why I never used Keychain on my Macs.

I use 1password...so I'm waiting for the day when that will be cracked then my myriad of 16+ character jibberish passwords I have strewn across the internet will be rendered useless. Then I'm fucked.

Don't use the same password on different sites. checkDon't use common words or phrases that a dictionary database can brute-force easily. checkUse a password manager to keep track of all those different passwords. Um...sure...unless...um...that gets hacked somehow....um...

That works great until someone gets access to your email account and can then back-track to reset your beautiful 16+ character gibberish passwords.

The difference is that this requires root access, whereas the other does not.

So revealing a password hint (which is not the password) is more of a vulnerability than the ability to reveal passwords? Seems like two different definitions of vulnerability to me.

Don't believe everything you read in Ars comments, doubledeej. Contrary to what kleinma wrote, the article never called the Windows behavior a vulnerability.

Ars readers are encouraged to check their facts before posting comments.

If anyone reads both articles and doesn't sense a biased towards Apple in the way the 2 issues are presented, then they are too far gone as Apple fanboys themselves. The very first paragraph you say: paraphrasing: "to add to the password vulnerability list, windows password hints"

I thought Linux hashed passwords when they are stored, so all someone with root access can get ahold of is the hashes, not the plaintext passwords.

For authentication, this is true (and OS X does the same thing). What Keychain does, on the other hand, is store passwords that have to be decrypted later (for use on web sites, within applications, etc.) You can't hash a password that you later need to retrieve.

The issue at hand is that Apple hasn't properly protected that data. If they had done it right, the encryption key used would be unique to each user/app combination, so only the app that stored the password would have the data to decrypt it, and only for the user that stored it. But Apple didn't do that... they use a single master encryption key that is apparently easily obtainable.

Okay, so the article effectively says the "same issue applies to Linux" as part of justifying why this isn't a "vulnerability". Wouldn't the correct statement be "the same issue applies to <insert name of GNOME or KDE keyring/password manage here>"? And does it even? Maybe they are better designed.

I don't think it's accurate to say the article you link to calls the Windows behavior a vulnerability. Can you quote the sections you're referring to?

The very first paragraph:

Quote:

Our recent feature on the growing vulnerability of passwords chronicled the myriad ways crackers extract clues used to guess other people's login credentials. Add to that list a password reminder feature built in to recent versions of Microsoft's Windows operating system.

You're misreading that statement. The growing vulnerability involves passwords, as no one who reads the feature being linked to can deny. The reminder feature in Windows, by contrast, belongs to the myriad ways crackers extract clues. The article never refers to the Windows behavior as a vulnerability, period.

I use 1password...so I'm waiting for the day when that will be cracked then my myriad of 16+ character jibberish passwords I have strewn across the internet will be rendered useless. Then I'm fucked.

This "hack" is the same as someone having your master password for 1password. Having the key that unlocks the key chain or the 1password storage is pretty much an insurmountable issue when you have single step security.

If Keychain was designed properly, each user account and each individual application would have its own encryption key, or at the very minimum its own salt to generate a unique encryption key, so that no other users/apps could decrypt that information.

Apple fail.

It does – by default, the login keychain is encrypted using the user’s login password. The problem is that, in order to make it easier to use Keychain, the key is cached in RAM so that the user isn’t prompted for their password every time an app wants to access a keychain item (and it’s not just passwords stored there – apps that use an authentication token often store it there). Keychain settings can be changed to lock after a certain amount of idle time, or when sleeping the computer, which would (I assume) remove the key from RAM, and negate this attack.

If you’re at the point of being able to run root on a machine, surely there’s nothing to stop you (for example) injecting code to log the input into a Keychain password prompt, or creating a fake one, which would achieve the same thing, so I guess that’s why people are shrugging at this one.

The difference is that this requires root access, whereas the other does not.

So revealing a password hint (which is not the password) is more of a vulnerability than the ability to reveal passwords? Seems like two different definitions of vulnerability to me.

Don't believe everything you read in Ars comments, doubledeej. Contrary to what kleinma wrote, the article never called the Windows behavior a vulnerability.

Ars readers are encouraged to check their facts before posting comments.

If anyone reads both articles and doesn't sense a biased towards Apple in the way the 2 issues are presented, then they are too far gone as Apple fanboys themselves. The very first paragraph you say: paraphrasing: "to add to the password vulnerability list, windows password hints"

More generally, it's pretty clear that you and I have a fundamental difference of opinion on this point. I think we'll just have to agree to disagree. Let me just add this: I find it pretty surprising that someone is claiming I treat Apple with a deference I don't show to Microsoft. I've been accused of a lot of things in Ars comments, but that's a first.

Does this extractor rely on the Keychain unlock password being the same as the Admin password? That is the default setup, but it isn't mandatory. On my Mac I have multiple keychains, some of which have different passwords.

If admins can access all keychains regardless of their individual passwords, I would call that a true vulnerability. Keychain, FileVault, etc should be able to defend their contents from unauthorized access, even against someone with root permissions.

OK, so just for those with slightly less than average intelligence (like me), is the point here that if you're able to successfully log on to an OS X machine as an administrator, you can do a lot of harm or look at the files on that machine?

Let me know if I am off base.

The problem is that passwords in OS X aren't properly protected. Anyone with administrator access (or physical access to the machine via Remote Disk) can get every password stored in Keychain. This is a pretty huge issue.

Where are you getting that? (emphasis mine)

author wrote:

A software developer has released an open-source app for the Mac that, when run with administrator privileges, dumps all the passwords belonging to other people currently logged on to the machine

If Keychain was designed properly, each user account and each individual application would have its own encryption key, or at the very minimum its own salt to generate a unique encryption key, so that no other users/apps could decrypt that information.

Apple fail.

...I don't agree that this is an "Apple Fail" because it really isn't. This problem can be solved and should be solved, before the next major release of OS X because this tool makes using Keychain a security risk.

If this isn't a failure on Apple's part I'm not sure what is. They clearly didn't implement near enough security into the way they're storing passwords. A properly designed system wouldn't allow this. And it is very much a technical possibility to do so. And it isn't even difficult. Each application assigns its own key, which is combined with a user-specific key, and that key is used to encrypt the password.

You don't see LastPass having this kind of issue. They are doing password storage properly. The key to decrypt their passwords is generated from the master username/password to the account, so not even LastPass personnel, who could potentially have access to the raw data, can decrypt any password because they have no way of obtaining the decryption key.

If this isn't a failure on Apple's part I'm not sure what is. They clearly didn't implement near enough security into the way they're storing passwords. A properly designed system wouldn't allow this. And it is very much a technical possibility to do so. And it isn't even difficult. Each application assigns its own key, which is combined with a user-specific key, and that key is used to encrypt the password.

You don't see LastPass having this kind of issue. They are doing password storage properly. The key to decrypt their passwords is generated from the master username/password to the account, so not even LastPass personnel, who could potentially have access to the raw data, can decrypt any password because they have no way of obtaining the decryption key.

I don't believe there's any difference between Keychain, LastPass or 1Password on this point. If your keychain is at rest on the disk, nobody is going to be able to get into it without bruteforceing the password, which is not an easy task on any properly designed keychain system. If the keychain is 'open' so that passwords can be pulled out without you reentering your master password each time, the data is accessible to anyone with administrator access and a bit of knowledge of the system.

To put it another way, Apple couldn't pull your passwords out of a shutdown Keychain anymore than LastPass engineers could do the same with your LastPass file.

You don't see LastPass having this kind of issue. They are doing password storage properly. The key to decrypt their passwords is generated from the master username/password to the account, so not even LastPass personnel, who could potentially have access to the raw data, can decrypt any password because they have no way of obtaining the decryption key.

Maybe I'm missing something but I don't see the difference. The default keychain also uses the account password and you have the option of creating other keychains with their own passwords. Not even Apple personnel can decrypt a password.